"SfR Fresh" - the SfR Freeware/Shareware Archive 
Member "amavisd-new-2.6.1/README_FILES/README.old.scanners" of archive amavisd-new-2.6.1.tar.gz:
---------------------------------------
This file is old and not up-to-date !!!
---------------------------------------

AMaViS & virus scanners
***********************

Contents:
1 List of supported antivirus products
2 Setting up the commandline options
3 Antivirus product information
3.1 Specific antivirus product information
3.1.1 How to use Kaspersky Anti-Virus AVPDaemon
3.1.2 Kaspersky Anti-Virus
3.1.3 VirusBuster (Daemon / Client)
3.1.4 Sophie / Trophie
3.1.5 GeCAD RAV AntiVirus 8
3.1.6 MkS_Vir for Linux
3.2 Return codes
4 Updates
4.1 Update scripts
4.1.1 Script for Sophos Sweep
4.1.2 Scripts for NAI uvscan
4.1.3 Script for Kaspersky Anti-Virus
5 Why AMaViS will never stop all viruses
5.1 Blocking certain file(s) / file type(s)


1 List of supported antivirus products
AMaViS currently supports the following antivirus products (mostly for Linux):

* CyberSoft VFind
* F-Secure Inc. (formerly DataFellows) F-Secure AV
* H+BEDV AntiVir/X
* Kaspersky Anti-Virus (kavscanner and kavdaemon)
* Network Associates Virus Scan for Linux
* Sophos Sweep
* Trend Micro FileScanner
* CAI InoculateIT (currently only the old 4.x version is supported!)
* GeCAD RAV AntiVirus 8 (engine version 8.5 or better required!)
* ESET Software NOD32 (command line scanner and daemon/client)
* Command AntiVirus for Linux
* VirusBuster
* Sophie, using the Sophos AntiVirus Interface
* Trophie, using the Trend Micro API
* FRISK F-Prot / F-Prot Daemon
* OpenAntiVirus ScannerDaemon
* DrWeb Antivirus for Linux/FreeBSD/Solaris (no support for the DrWeb Daemon yet)
* MkS_Vir for Linux
* CentralCommand Vexira
* Norman Virus Control for Linux

If support for a specific product is missing, please write to
Rainer Link <link@suse.de>.
For an up-to-date product list, see http://www.openantivirus.org/


2 Setting up the commandline options
I advise you to look at the commandline parameters for the scanner(s) you use
with AMaViS. Each scanner has its own section at the beginning of the scanmails
script, and the commandline options can be set with <product_name>_cmdl, e.g.
antivir_cmdl. Please read the documentation of your antivirus software
carefully and add (or remove) specific options.
If an antivirus product provides the functionality to scan inside run-time
compressed files (e.g. Diet, LzExe, PkLite, UPX) and archived files
(e.g. PkZIP, RAR), I would advise switching this on if it is not on by default.

3 Antivirus product information
3.1 Specific antivirus product information
3.1.1 How to use Kaspersky Anti-Virus AVPDaemon

Two possible setups exist:
a) AVPDaemon and AVPDaemonClient (renamed to AvpDaemonTst in the new package)
Change into AVPDaemon/DaemonClients and compile AvpDaemonClient.cpp (the new
location seems to be Sample) with a simple "make". Then copy this file to
the location where AVPDaemon is installed (e.g. /usr/local/avp or /opt/AVP).
Run configure, make and make install.

b) AVPDaemon alone (AVPDaemon works in daemon mode and in client mode)
Symlink AvpDaemonClient to AvpDaemon, as configure searches for AvpDaemonClient
(and AvpDaemonTst). In amavis/av/avpdc, change the line

$output = `$avpdc $TEMPDIR/parts`;

to

$output = `$avpdc -o{$TEMPDIR/parts/}`;

then run ./configure, make and make install.
AVPDaemon (in client mode) shows no output and cannot be switched to verbose
mode. Therefore setup a) is the one I currently recommend; otherwise your
logfiles will not show which file(s) are infected.

NOTE: AvpDaemon must be running as a daemon, so it should be started at
boot time via an init script (or whatever) as <path>/AvpDaemon -* /var/amavis

3.1.2 Kaspersky Anti-Virus
AvpLinux fills the log with a lot of trash because of a simple progress
bar shown while loading the AVC files.
If you do not want this "log flooding", set

LongStrings=Yes

in the file defUnix.prf, section Options. This reduces the output while
AvpLinux is loading the AVC files.

3.1.3 VirusBuster (Daemon + Client)
Please keep in mind that the VirusBuster daemon has to run under the same
user id AMaViS runs as. Moreover, VirusBuster returns 3 for an infection
(which is not in sync with the man page).

3.1.4 Sophie / Trophie
By default, Sophie/Trophie create a socket in /var/run, owned by root, group
uucp (readable and writeable by owner and group). As AMaViS runs as user amavis,
it cannot connect to the socket. Change the group accordingly in
sophie.h/trophie.h and recompile.
If Sophie/Trophie is installed but configure does not detect it, you need
to upgrade to version 1.15/1.03, respectively, or later.

3.1.5 GeCAD RAV AntiVirus 8

The command line options changed with a new version of the virus scanning
engine. Therefore you need at least engine version 8.5. If your engine is
too old, please update it (e.g. "ravav -UPDATE"). As a side note, with
the new engine an update is done with -u.

3.1.6 MkS_Vir for Linux

MkS expects its config file mks_vir.cfg in /etc.


3.2 Return codes
-----------------------------------------------------------------------
NAI VirusScan (uvscan) return codes:
-----------------------------------------------------------------------
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
as of version 4.x documentation "uvscan.pdf" or "unix403.pdf":
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

0 No errors occurred; no viruses were found.
2 Driver integrity check failed.
6 A general problem.
8 Could not find a driver.
10 A virus was found in memory.
13 One or more viruses or hostile objects were found.
15 VirusScan self-check failed; it may be infected or damaged.
102 User quit via ESC-X, ^C or Exit button.

Exit code 102 also occurs when the scan encounters an unexpected error, such as
denied access or memory shortage. On these occasions the scan exits
immediately and does not finish.

-----------------------------------------------------------------------
Sophos Sweep Return Codes:
-----------------------------------------------------------------------
Bernhard Nowotny <nowotny@sigma-c.de> writes:
Error codes returned by SWEEP (thanks to christian.weber@sophos.com):
SWEEP returns error codes if there is an error or if a virus is found
SWEEP returns:
0 If no errors are encountered and no viruses are found
1 If the user interrupts the execution by pressing ESC
2 If some error preventing further execution is discovered, or if
compressed files have been found when using the -WC command line
qualifier
3 If viruses or virus fragments are discovered

A different set of error codes will be returned if SWEEP is run with the
-eec command line qualifier.
0 If no errors are encountered and no viruses are found
8 If survivable errors have occurred
12 If compressed files have been found and decompressed
16 If compressed files have been found and not decompressed
20 If viruses have been found and disinfected
24 If viruses have been found and not disinfected
28 If viruses have been found in memory
32 If there has been an integrity check failure
36 If unsurvivable errors have occurred
40 If execution has been interrupted

-------------------------------------------------------------------------
Kaspersky Anti-Virus (formerly AntiViral Toolkit Pro):
-------------------------------------------------------------------------
return codes of AvpLinux and AvpDaemonClient according to Readme.txt

0 No viruses were found
1 Virus scan was not complete
3 Suspicious objects were found
4 Known viruses were detected
5 All detected viruses have been deleted
7 File AvpLinux is corrupted


--------------------------------------------------------------------------
DataFellows F-Secure AntiVirus:
--------------------------------------------------------------------------
return codes of F-Secure AV according to the fsav_lin.pdf documentation


0 Normal exit; no viruses or suspicious files found.
1 Abnormal termination; unrecoverable error.
(Usually a missing or corrupted file.)
2 Self-test failed; program has been modified.
3 A boot virus or file virus found.
5 Program was terminated by pressing CTRL-C,
or by a sigterm or suspend event.
6 At least one virus was removed.
7 Out of memory.
8 Suspicious files found;
these are not necessarily infected by a virus.


------------------------------------------------------------------------
H+BEDV AntiVir/X
-------------------------------------------------------------------------

NOTE: Since AntiVir 6.12.x you must have a (valid) license key, either
a free license for private use or a commercial license. Otherwise
AntiVir/X always returns 214, regardless of whether a virus was found or not,
which is quite useless for AMaViS.

AntiVir/X return codes according to antivir --help (translated from the
German output):

0: normal program termination, no virus, no error
1: virus found in a file (or boot sector)
2: virus found (possibly active) in memory
100: AntiVir only displayed the help text
101: a macro was found in a file
102: the parameter -once was given and AntiVir had already run
200: not enough memory, program terminated
201: the given response file was not found
202: a response file contains @<rsp>
203: invalid parameter given
204: invalid directory given
205: the given report file could not be created
210: AntiVir could not find a required library (DLL)
211: program aborted because the self-check failed
212: file antivir.vdf not found or read error
213: initialisation error
214: license file not found

-----------------------------------------------------------------------
Trend Micro FileScanner (vscan) return codes:
-----------------------------------------------------------------------

0: no virus found
1: virus found
2: virus found

I do not have a list of return codes. Consider three files a, b and c, where
a and b are infected and c is not:
/etc/iscan/vscan /tmp/test/a     - return code: 1
/etc/iscan/vscan -a /tmp/test/*  - return code: 2
/etc/iscan/vscan -a /tmp/test/   - return code: 0 (although two viruses
                                   were detected)
So the exit code of a directory scan cannot be relied upon; pass the files
to be scanned explicitly.

-----------------------------------------------------------------------
Cybersoft VFind Return Codes:
-----------------------------------------------------------------------
0 If no errors are encountered and no viruses are found
23 If viruses or virus fragments are discovered
138 License expired or invalid.
255 A general error.

-----------------------------------------------------------------------
CAI InoculateIT - inocucmd command line utility 4.0:
-----------------------------------------------------------------------
100 - A virus was detected.
>2 - Some type of scan failure.
1 - User pressed Ctrl-C.
0 - The scan has completed. No viruses were detected.

-----------------------------------------------------------------------
Command AntiVirus for Linux Return Codes:
-----------------------------------------------------------------------
Code Description
---- -----------
0-13: Fatal exceptions occurred. Abnormal termination.
5: Break signaled. The user interrupted the scan process
via the Break key.
13: The program performed a GPF (General Protection Fault).

50: Nothing found.
51: At least one infection found.
52: At least one suspicious file found.
53: At least one virus was disinfected.

100: Scan engine shared library is incorrect or incompatible.
No scan was performed.
101: Scan engine failed to initialize. Insufficient memory
or critical condition. No scan was performed.
102: sign.def is either missing or is corrupt.
103: macro.def is either missing or is corrupt.
104: -virlist or -virno specified on the command line
105: -today has been specified and a scan has already been made
this day.
106: english.tx1 is either missing or is corrupt. NOTE: This
applies only to CSAV versions 4.57 or higher.

-----------------------------------------------------------------------
Virus Buster for Linux Return Codes:
-----------------------------------------------------------------------
Error codes according to the man page

OK           (0)  = everything is ok, no viruses
VIRKILLED    (1)  = virus found and killed
VIRNOTKILLED (2)  = virus found, not killed
HEFOUND      (3)  = heuristically suspicious
HEUDOCFOUND  (4)  = heuristically suspicious DOC file
PACKER       (5)  = packed file
IMMUNIZER    (6)  = immunizer hit
VSKMSG       (7)  = VSK message
SCANERROR    (64) = error during scanning
ENGERROR     (65) = engine error
EMPTYFNAME   (66) = there is no filename to scan
NOSUCCDMSTOP (67) = unable to stop the daemon
NOSUCCSTART  (68) = unable to start the daemon
STATUSFAIL   (69) = unable to ask the status
NOENARG      (70) = too few or wrong parameters
UNKNCOMM     (71) = unknown command
UNKNOPT      (72) = unknown option
DMTIMEOUT    (73) = unable to connect to the daemon (timeout)
NOTREGISPRG  (74) = the program is not registered; you cannot
                    start the client

-----------------------------------------------------------------------
FRISK F-Prot for Linux Return Codes:
-----------------------------------------------------------------------

0 Normal exit. Nothing found, nothing done.
1 Unrecoverable error (for example, missing SIGN.DEF).
2 Selftest failed (program has been modified).
3 At least one virus-infected object was found.
4 <not used>
5 Abnormal termination (scanning did not finish).
6 At least one virus was removed.
7 Error, out of memory (should never happen, but well...)
8 Something suspicious was found, but no recognized virus.


-----------------------------------------------------------------------
GECAD RAV AntiVirus for Linux Return Codes:
-----------------------------------------------------------------------
#FILE_OK 1
#FILE_INFECTED 2
#FILE_SUSPICIOUS 3
#FILE_CLEANED 4
#FILE_CLEAN_FAIL 5
#FILE_DELETED 6
#FILE_DELETE_FAIL 7
#FILE_COPIED 8
#FILE_COPY_FAIL 9
#FILE_MOVED 10
#FILE_MOVE_FAIL 11
#FILE_RENAMED 12
#FILE_RENAMED_FAIL 13

#NO_FILES 20

#ENG_ERROR 30
#SINTAX_ERR 31
#HELP_MSG 32
#VIR_LIST 33


-----------------------------------------------------------------------
ESET Software NOD32 for Linux Return Codes:
-----------------------------------------------------------------------

NOD32_EXIT_CODE_OK 0
NOD32_EXIT_CODE_VIRUS 1
NOD32_EXIT_CODE_CLEANED 2
NOD32_EXIT_INTERNAL_ERROR 10


-----------------------------------------------------------------------
CentralCommand Vexira/Linux Return Codes:
-----------------------------------------------------------------------
Vexira is based on H+BEDV AntiVir/Linux, therefore the command line
parameters and return values appear to be completely identical.

0: Normal program termination, no virus, no error
1: Virus found in a file or boot sector
2: A virus signature was found in memory
100: Vexira Antivirus only displayed the help text
101: A macro was found in a document file
102: The option -once was given and Vexira Antivirus already ran today
200: Program aborted, not enough memory available
201: The given response file could not be found
202: Within a response file another @<rsp> directive was found
203: Invalid option
204: Invalid (non-existent) directory given at command line
205: The log file could not be created
210: Vexira Antivirus could not find a necessary dll file
211: Program aborted because the self check failed
212: The file vexira.vdf could not be read
213: An error occurred during initialisation
214: License key not found


--------------------------------------------------------------------------
Norman Virus Control for Linux:
--------------------------------------------------------------------------
return codes of Norman Virus Control according to the man page

0 - No error
1 - File or boot sector virus found
2 - Virus detected in memory
3 - No scan area given
4 - Configuration file changed
5 - Bad argument
6 - I/O error
8 - Program error
10 - Files skipped
14 - Virus detected and removed



4 Updates
Some antivirus companies provide updates for the virus definition files
(pattern files) for the latest virus(es) in (a) small extra file(s), e.g. the
Sophos Anti-Virus virus identities (IDE). See
http://www.sophos.com/downloads/ide/ for more information about IDE files.
For versions of sweep older than 3.37, these files are located in the
directory ide/ below your Sophos tree, e.g. /opt/sophos/ide, and the
environment variable SAV_IDE should therefore be set to SAV_IDE=/opt/sophos/ide
in the AMaViS script. From sweep version 3.37 on this is no longer necessary,
as sweep reads the ide directory location from /etc/sav.conf. The default is
/usr/local/sav.

NAI provides an extra driver, which has to be specified on the command line
via --extra /path-to/EXTRA.DAT


Please keep in mind that your antivirus software needs regular updates. Set up
a cron job with the appropriate ftp/ncftp/wget commands for automatic updates.
NAI provides a script in their PDF manual. F-Secure AV comes with its own
update program. I would also strongly recommend subscribing to an alert
mailing list, which most AV companies offer, to get information about the
latest virus outbreaks.

Note: please keep in mind that an update process may fail. Your script
should therefore first make a backup, then download the file(s), and after that
run the virus scanner against the EICAR test file. If the virus scanner
does not exit with its "virus found" exit code, your script should roll
back to the backup and send an alert message to virusalert indicating that
the update process failed.

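The two points made above, that each product has its own "virus found" exit code (section 3.2) and that an update must be verified against the EICAR test file and rolled back if the scanner no longer flags it, as one added shell example. This is not AMaViS code or any vendor's tooling. The product names accepted by verdict(), the SCAN_CMD and UPDATE_CMD strings and the ALERT_TO variable are assumptions for illustration; set them for your own scanner and definition directory.

```shell
#!/bin/sh
# Added example, not AMaViS code: map a scanner's exit status to a verdict
# using the tables in section 3.2, then use that verdict to validate a
# definition update against the EICAR test file and roll back on failure.
# PRODUCT names, SCAN_CMD/UPDATE_CMD strings and ALERT_TO are assumptions.

# verdict PRODUCT RC -> prints clean | infected | suspicious | error
# Only the codes documented in 3.2 are mapped; anything else is an error.
# A scanner that did not actually scan (no license, no memory, bad driver,
# self-check failure) must never be mistaken for "clean".
verdict() {
    case "$1" in
    sweep)   # codes without -eec; with -eec sweep uses 20/24/28 for viruses
             case "$2" in 0) echo clean ;; 3) echo infected ;; *) echo error ;; esac ;;
    uvscan)  case "$2" in 0) echo clean ;; 13) echo infected ;; *) echo error ;; esac ;;
    antivir) case "$2" in 0) echo clean ;; 1|2) echo infected ;; 101) echo suspicious ;; *) echo error ;; esac ;;
    fprot)   case "$2" in 0) echo clean ;; 3|6) echo infected ;; 8) echo suspicious ;; *) echo error ;; esac ;;
    kav)     case "$2" in 0) echo clean ;; 4|5) echo infected ;; 3) echo suspicious ;; *) echo error ;; esac ;;
    *)       echo error ;;
    esac
}

# scan PRODUCT SCAN_CMD FILE -> prints the verdict for FILE
# SCAN_CMD is a shell command string (scanner binary plus options); FILE is
# appended as one quoted argument so odd file names cannot become options.
scan() {
    _rc=0
    sh -c "$2 \"\$1\"" scan "$3" >/dev/null 2>&1 || _rc=$?
    verdict "$1" "$_rc"
}

# The standard EICAR test string; every scanner listed above detects it.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# alert MESSAGE -> mails MESSAGE to $ALERT_TO (e.g. virusalert) when it is set
alert() {
    [ -n "${ALERT_TO:-}" ] && printf '%s\n' "$1" | mail -s "AV definition update failed" "$ALERT_TO"
    return 0
}

# safe_update PRODUCT SCAN_CMD UPDATE_CMD DEFS_DIR
# 1. copy DEFS_DIR to DEFS_DIR.bak, 2. run UPDATE_CMD, 3. write the EICAR
# test file and require the verdict "infected". Returns 0 if the new
# definitions were kept, 1 if they were rolled back, 2 on a setup error.
safe_update() {
    _defs=$4
    _bak=$4.bak
    [ -d "$_defs" ] || return 2
    rm -rf "$_bak" && cp -Rp "$_defs" "$_bak" || return 2
    _tmp=$(mktemp -d) || return 2
    printf '%s' "$EICAR" > "$_tmp/eicar.com"
    if sh -c "$3" && [ "$(scan "$1" "$2" "$_tmp/eicar.com")" = infected ]; then
        rm -rf "$_tmp" "$_bak"
        return 0
    fi
    # update failed, or the scanner no longer sees EICAR: restore and alert
    rm -rf "$_tmp" "$_defs" && cp -Rp "$_bak" "$_defs"
    alert "$1: update of $_defs failed verification, rolled back from $_bak"
    return 1
}

# Typical call (paths and scanner options are assumptions for your site):
#   ALERT_TO=virusalert safe_update sweep "/usr/local/bin/sweep -nc -ss" \
#       "/usr/local/bin/fetch-ides.sh" /usr/local/sav/ide
```

Run from cron after the vendor's own download step, or with the download command as UPDATE_CMD as shown in the comment. The backup directory is kept when a roll-back happens so that the broken update can be inspected.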
4.1 Update scripts
The scripts are provided by users without any warranty. Use them at your
own risk.

For Sophos, see also http://www.sophos.com/support/faqs/autodown.html
("How to automate the downloading of IDE files").

4.1.1 Script for Sophos Sweep by Reiner Keller
#!/bin/bash

#cd $SAV_IDE
cd /usr/local/lib/sweep-IDE || exit 1

# Build the IDE archive URL from the installed sweep version,
# e.g. "Product version : 3.45" -> .../ide/345_ides.zip, and fetch it
/usr/bin/wget -q -N $(/usr/local/bin/sweep -v | /usr/bin/grep "Product version" \
    | /usr/bin/sed -e "s/.*: \(.\)\.\(..\)$/http:\/\/www.sophos.com\/downloads\/ide\/\1\2_ides.zip/")
/usr/bin/unzip -q -n "???_ides.zip"

chmod 644 *


4.1.2.1 Script for NAI (McAfee) uvscan by Matt Burke
#!/bin/bash

rm -f .listing*

datdir="ftp://ftp.mcafee.com/pub/datfiles/english/"
uvdir=/usr/local/mcafee

# Fetch the directory listing (kept as .listing by -nr), take the tar file
# name from it and download that file
wget -q -O $uvdir/latest-dat.tar ${datdir}$(wget -qnr $datdir && grep tar .listing | awk '{print $4}')

tar --overwrite --directory=$uvdir -xf $uvdir/latest-dat.tar

4.1.2.2 Script for NAI uvscan by Brian K. West
#!/usr/bin/perl
# dailyupdate.pl
# Auto Update Daily DAT files from NAI uvscan for *nix
# By: Brian K. West <brian@bkw.org>
# Version 1.0.3
#
# This is used for the Daily DAT file from NAI for early prevention.
# This version will email the admin when the DAT files are updated!
# I have also done some touchups to make the code cleaner.
# Also: $adminemail = "user\@domain.com"; you must escape the "@"
#
use strict;
use warnings;
use LWP::Simple;
use Archive::Zip;

# Settings
my $location   = "http://download.nai.com/products/mcafee-avert/daily_dats/DAILYDAT.ZIP";
my $tmpdir     = "/tmp";
my $uvscandir  = "/usr/local/uvscan";
my $mailprog   = "/bin/mail";
my $adminemail = "brian\@bkw.org";

# head() is true only if the file exists on the server
if (!head($location)) {
    print "No Daily Dat Updates available!\n";
    exit;
}

# mirror() downloads only if the remote copy is newer and returns the HTTP status
print "Downloading DAILYDAT.ZIP ...\n";
my $status = mirror($location, "$tmpdir/DAILYDAT.ZIP");
if ($status == 404) {
    print "No Daily Dat Update available!\n";
    exit;
}
if ($status == 304) {
    print "You have the latest Daily Dat file installed!\n";
    exit;
}

my $zip = Archive::Zip->new("$tmpdir/DAILYDAT.ZIP") or die "cannot open $tmpdir/DAILYDAT.ZIP";
print "Extracting DAILYDAT.ZIP to $uvscandir ...\n";
foreach my $member ($zip->memberNames()) {
    next if $member =~ /\/$/;          # skip directory entries
    my $data = $zip->contents($member);
    my $file = lc($member);            # DAT file names are lower case on disk
    print "Installing: $file\n";
    open(my $out, '>', "$uvscandir/$file") or die "cannot write $uvscandir/$file: $!";
    binmode($out);                     # DAT files are binary
    print $out $data;
    close($out);
}
#unlink("$tmpdir/DAILYDAT.ZIP");
system("$uvscandir/uvscan --version | $mailprog -s \"Virus Scan Daily DAT Updated\" $adminemail");
print "Daily Dat Installed!\n";


The same author's script for the regular DAT releases (dat-NNNN.tar), which
fetches the release numbered one higher than the installed one:

#!/usr/bin/perl
#
# Auto Update DAT files from NAI uvscan for *nix
# By: Brian K. West <brian@bkw.org>
# Version 1.0.1
#
use strict;
use warnings;
use LWP::Simple;
use Archive::Tar;

# Settings
my $location  = "http://download.nai.com/products/datfiles/4.x/nai";
my $tmpdir    = "/tmp";
my $uvscandir = "/usr/local/uvscan";

# Installed DAT version, e.g. 4085 from "Virus data file v4085 ..."
sub installed_dat {
    my $v = `$uvscandir/uvscan --version | grep "Virus data file" | awk '{ print substr(\$4,2,4) }'`;
    chomp($v);
    return $v;
}

my $current = installed_dat();
print "Current version installed: $current\n";
#$current = 4085;

# The next release is numbered one higher
my $needed = $current + 1;

if (!head("$location/dat-$needed.tar")) {
    print "No updates available!\n";
    exit;
}
# Grab the next version, it is ready!
print "Downloading dat-$needed.tar ...\n";
my $status = mirror("$location/dat-$needed.tar", "$tmpdir/dat-$needed.tar");
if ($status == 404) {
    print "No updates available!\n";
    exit;
}

my $tar = Archive::Tar->new("$tmpdir/dat-$needed.tar") or die "cannot open $tmpdir/dat-$needed.tar";
print "Extracting dat-$needed.tar to $uvscandir ...\n";
foreach my $file ($tar->list_files()) {
    next if $file =~ /\/$/;            # skip directory entries
    my $data = $tar->get_content($file);
    print "Installing: $file\n";
    open(my $out, '>', "$uvscandir/$file") or die "cannot write $uvscandir/$file: $!";
    binmode($out);
    print $out $data;
    close($out);
}
unlink("$tmpdir/dat-$needed.tar");

# Verify that uvscan now reports the new version
my $new = installed_dat();
if ($new == $current) {
    print "Update Failed!\n";
    print "You may have to do it manually!\n";
    exit 1;
}
print "New installed version: $new\n";

4.1.2.3 Script for NAI DAT-files by Julio Cesar Covolato
(please have a look at http://www.psi.com.br/~julio/uvscan/ for the latest
version)

#!/bin/sh
###################################################################
################# UVUPDATE-1.2 #######################
###################################################################
# Script to automate downloading and installing new dat files
# from ftp.nai.com for the uvscan 4.x virus scanner.
###################################################################
# $date Fri Mar 16 01:12:43 EST 2001
###################################################################
# Written by Julio Cesar Covolato <julio@psi.com.br>
###################################################################
# Read the files README, INSTALL and CHANGES before installing
###################################################################
#
#
#
###################################################################
# MAKE THE CHANGES BELOW TO SUIT YOUR SYSTEM
###################################################################
#
################################################
# Where are your uvscan binary and datfiles ???
################################################

uvscan_dir=/usr/local/uvscan/

####################################
# setup our commonly used programs
####################################

grep=/bin/grep
mail=/bin/mail
wget=/usr/bin/wget
cut=/usr/bin/cut
tar=/bin/tar
rm=/bin/rm
ls=/bin/ls
chmod=/bin/chmod
sed=/bin/sed

#################################################################
# Setup email and subject to notify new versions, or problems :(
#################################################################

mail_to="root@localhost"
subject_ok=" UVSCAN - We got a new dat-file"
subject_bad=" UVSCAN - Something went wrong :(( "
subject_nonew=" UVSCAN - No new dat-file for today"

############################################################
# Setup wget flags ( see "man 1 wget" ).
# If you are behind a firewall, you can add " --passive-ftp"
# Thanks to Viraj Alankar <valankar@ifxcorp.com>
############################################################

wget_opt="-N -q -t 30"

###################################################################
# You don't need to make changes below
###################################################################

cd "${uvscan_dir}" || exit 1

# Get the version of the currently installed datfile

DATVERSION=$(./uvscan --version|${grep} "Virus data file"|${cut} -c 18-21)

# Get the latest info file (delta.ini) from NAI, if there is a new one.
${wget} ${wget_opt} ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/delta.ini

# Extract the dat-version from the file delta.ini

DATVERSIONEW=$(${grep} CurrentVersion delta.ini|${cut} -c 16-19)

if [ -z "${DATVERSIONEW}" ];
then
        # delta.ini missing or unreadable: leave the installed files alone
        echo "Could not read CurrentVersion from delta.ini"|${mail} -s "${subject_bad}" ${mail_to}
        exit 1
fi

if [ "${DATVERSION}" = "${DATVERSIONEW}" ];
then
        echo -e "\n\n\n\tThe uvscan has the latest version already!"|${mail} -s "${subject_nonew}" ${mail_to}
        exit # No new version! :(( Maybe tomorrow! )
else
        # Get and install it!!!
        ${wget} ${wget_opt} ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/dat-${DATVERSIONEW}.tar
        ${tar} xf dat-${DATVERSIONEW}.tar
        ${chmod} 744 *.dat
fi

# We got the new version installed! Test it...

NEWDAT=$(./uvscan --version|${grep} "Virus data file"|${cut} -c 18-21)

if [ "${NEWDAT}" = "${DATVERSIONEW}" ];
then
        # Send an email to me, notifying the new version!
        echo -e "\n\n\n\tNew dat file is: ${NEWDAT}\n\n\n" > newvirus.txt
        ${sed} -n '/\* DV2/,/\* DV3/p' readme.txt >> newvirus.txt
        cat newvirus.txt|${mail} -s "${subject_ok}" ${mail_to}
        ${rm} -f dat-${DATVERSION}.tar # we don't need the old version anymore
else
        # Send an email to me, notifying that something went wrong... :((
        echo "Go there: ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/"|\
        ${mail} -s "${subject_bad}" ${mail_to}
fi
exit




4.1.3 Script for KasperskyLab AVP by Andy Wallace
#!/usr/bin/perl

use strict;
use warnings;
use Net::FTP;
# in the libnet package - you may have to get it from CPAN - I did.

# Directory to download into
my $DIR = "/usr/local/AvpLinux";

# Get current time and date
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime(time);

# I just want this stuff so I can save each daily.zip as a different
# filename with a date attached, so I know I haven't missed any. Format is
# dailyddmmyy.zip (yes I'm British), so I need to make a few changes.

# Jan = 0, so add 1 to $mon
$mon++;
if ($mon < 10) {
    $mon = "0$mon";
}

# Days of month are 1-31, so that's OK
if ($mday < 10) {
    $mday = "0$mday";
}

# gmtime thinks this year is 100! At least in my version of Perl...so don't
# use this script after 2099 :-)
$year -= 100;
if ($year < 10) {
    $year = "0$year";
}

my $zipfile = "$DIR/daily$mday$mon$year.zip";

# Connect to FTP server and download daily.zip
my $ftp = Net::FTP->new("ftp.kasperskylab.ru", Passive => 1)
    or die "Cannot connect to ftp.kasperskylab.ru: $@";
$ftp->login("ftp", "someone\@somewhere.com") or die "Cannot login: ", $ftp->message;
$ftp->cwd("/bases") or die "Cannot cwd to /bases: ", $ftp->message;
$ftp->binary;
$ftp->get("daily.zip", $zipfile);
$ftp->quit;

# Check it turned up OK, if so unzip it, if not send an email
if (-e $zipfile) {
    system("/usr/bin/unzip -o -qq $zipfile -d $DIR");
}
else {
    system("echo 'daily.zip was not downloaded' | /bin/mail -s \"Antivirus daily update failure!\" root");
}

# Now restart AVP daemon to load updated virus library
system("/usr/local/AvpLinux/AvpDaemon -k");
system("/usr/local/AvpLinux/AvpDaemon -* /var/amavis");

# End of perl script

Put a call to this in your root crontab to run it every day, e.g.

00 20 * * * /usr/local/bin/getupdate.pl



5 Why AMaViS will never stop all viruses
AMaViS is not an antivirus scanner; it is only an "interface" for virus
scanning at the e-mail gateway in combination with one (or even more) of the
virus scanners listed above. Virus detection and blocking therefore depend on
the quality of the virus scanner. To get an impression of the detection
rates of antivirus products, please have a look at Virus Bulletin
(www.virusbtn.com), the Virus Test Center (http://agn-www.informatik.uni-hamburg.de/)
or AV-Test (www.av-test.com).
Please keep in mind that viruses in encrypted e-mails/attachments cannot be
detected! Also, if an infected attachment is compressed with a
compression format for which AMaViS is not configured (we believe that the
most important formats are covered, though), it gets through, unless the
virus scanner(s) used is/are able to decode/uncompress it.
If this happens, it is the job of your client-side anti-virus software to
detect and stop the virus from spreading when the attachment gets decrypted
or uncompressed.


5.1 Blocking certain file(s) / file type(s)
AMaViS does not currently support blocking certain files by type or extension,
e.g. .vbs or .exe. Such a capability may be added in the future. But please
keep in mind that the file extension can be forged as easily as the MIME type.
I advise you to read a posting to NTBugTraq by Nick FitzGerald, online
at http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0005&L=ntbugtraq&F=&S=&P=11152.
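An added illustration of the point just made, that the sender controls both the file name and the MIME type, so a filter on the extension alone is weak. The example is not AMaViS code; it goes one step beyond the text by looking at the first bytes of the decoded attachment (the well-known MZ, PK and ELF signatures) and flagging a name/content mismatch. The extension lists and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not AMaViS code: decide whether a decoded attachment should
# be blocked by looking at its leading bytes rather than trusting the name
# the sender chose. Extension lists below are illustrative assumptions.

# magic_type FILE -> prints exe | zip | elf | other, from the first 4 bytes
magic_type() {
    _m=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$_m" in
        4d5a*)    echo exe ;;   # "MZ": DOS/Windows executable (PE, .exe/.scr/.pif/...)
        504b0304) echo zip ;;   # "PK\003\004": ZIP, also Office OOXML and JAR
        7f454c46) echo elf ;;   # "\177ELF": Linux/Unix executable
        *)        echo other ;;
    esac
}

# extension NAME -> lower-cased extension of NAME, empty when there is none
extension() {
    case "$1" in
        *.*) printf '%s\n' "${1##*.}" | tr 'A-Z' 'a-z' ;;
        *)   echo "" ;;
    esac
}

# attachment_verdict NAME FILE -> block | pass
# NAME is the file name from the MIME part, FILE the decoded content.
# Executables are blocked whatever they are called; an archive hiding
# behind a harmless-looking extension is blocked as a mismatch; a few
# extensions are blocked by name even when the content is unrecognised.
attachment_verdict() {
    _ext=$(extension "$1")
    _kind=$(magic_type "$2")
    case "$_kind" in
        exe|elf) echo block; return 0 ;;
    esac
    case "$_ext:$_kind" in
        zip:zip|docx:zip|xlsx:zip|pptx:zip) echo pass ;;
        *:zip) echo block ;;                          # e.g. photo.jpg that is really a ZIP
        exe:*|com:*|scr:*|pif:*|vbs:*|bat:*) echo block ;;   # dangerous by name alone
        *) echo pass ;;
    esac
}
```

With a real gateway the NAME would come from the Content-Disposition or Content-Type parameters of the MIME part and FILE from the decoded part on disk; the verdict then feeds the same block/pass decision the scanner result does.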